请问如何从NtMapViewOfSection的HANDLE SectionHandle参数获取被映射的文件名呢？

septem · 发表于2007-12-29 09:29

请问如何从NtMapViewOfSection的HANDLE SectionHandle参数获取被映射的文件名呢？ [复制链接]

我在文件过滤驱动中hook了NtMapViewOfSection，目的是为了处理有文件头时，改变映射的偏移地址，现在需要在hook函数中，获取被映射的文件名。
我想到一种办法，就是也hook NtCreateSection，并通过NtCreateSection维护一个包括SectionHandle和文件名对应关系的表，在NtMapViewOfSection中通过这个表来获取文件名。
但不知道有没有在NtMapViewOfSection中直接从SectionHandle获取被映射的文件的方法呢？

milanmaldini

通过NtCreateSection的FileHandle

iloveyoulix

御魔的hips.sys中逆向出来的：

NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
PVOID SectionObject;
PFILE_OBJECT FileObject;
UNICODE_STRING FilePath;
NTSTATUS Status;
UNICODE_STRING DosName;
STRING AnsiString;

SectionObject = NULL;
FileObject = NULL;
FilePath.Buffer = 0;
FilePath.Length = 0;
*ProcessImageName = 0;
Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
if ( NT_SUCCESS(Status) )
{
      FilePath.Buffer = (PWSTR)ExAllocatePoolWithTag(PagedPool, 0x200u, ' kdD');
      FilePath.MaximumLength = 512;
      FileObject = *((_DWORD *)SectionObject + 5);
      FileObject = *(_DWORD *)FileObject;
      FileObject = *(_DWORD *)(FileObject + 36);
      ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
      RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
      RtlCopyUnicodeString(&FilePath, &DosName);
      RtlAppendUnicodeStringToString(&FilePath, FileObject->FileName);
      ObfDereferenceObject(FileObject);
      ObfDereferenceObject(SectionObject);
      RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
      if ( AnsiString.Length >= 256 )
      {
         memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
         *(ProcessImageName + 255) = 0;
      }
      else
      {
         memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
         ProcessImageName[AnsiString.Length] = 0;
      }
      RtlFreeAnsiString(&AnsiString);
      ExFreePoolWithTag(DosName.Buffer, 0);
      ExFreePoolWithTag(FilePath.Buffer, 0);
      Status = STATUS_SUCCESS;
}

return Status;
}

tigerhaha

//根据 SECTION_OBJECT 获取全路径.

#define  SEGMENT_OFFSET 0x0014
#define  CTLAREA_OFFSET 0x0000
#define  FILE_OBJ_OFFSET 0x0024

BOOLEAN GetFullPathBySection(PVOID SectionObject,PCHAR szOutPutPath)
{

ULONG                               ProcObj = 0;
ULONG                               pOffset = 0;
PFILE_OBJECT                         pFile = NULL;
/* BOOLEAN                               bRel = FALSE;*/
WCHAR                               wszDrvSym[MAX_PATH];
ULONG                               nLen = 0;
UNICODE_STRING                      VolName;
NTSTATUS                            nStatus;

if (!SectionObject)
      return FALSE;
else if (!szOutPutPath)
      return FALSE;

pOffset = (ULONG)SectionObject;

pOffset = *(PULONG)(pOffset + SEGMENT_OFFSET); // Segment Offset
if (!pOffset)
      return FALSE;

pOffset = *(PULONG)(pOffset + CTLAREA_OFFSET); // ControlArea Offset
if (!pOffset)
      return FALSE;

pOffset = *(PULONG)(pOffset + FILE_OBJ_OFFSET); // File Object Offset
if (!pOffset)
      return FALSE;

pFile = (PFILE_OBJECT)pOffset;

/*       __asm int 3*/

nLen = pFile->FileName.Length;
nLen >>= 1;
nLen += 2;

if (nLen >= MAX_PATH)
      nLen = MAX_PATH - 1;

RtlInitUnicodeString(&VolName,wszDrvSym);
nStatus = RtlVolumeDeviceToDosName (pFile->DeviceObject,&VolName);
VolName.MaximumLength = MAX_PATH*sizeof(WCHAR);

/* bRel = GetObjectName((PVOID)pFile->DeviceObject,szDrvSym);*/

if (NT_SUCCESS(nStatus))
{

      RtlUnicodeStringCatUnicodeString(&VolName,&pFile->FileName);
      nLen = VolName.Length;
      nLen >>= 1;
      if (nLen >= MAX_PATH)
         nLen = MAX_PATH -1;

      wcstombs(szOutPutPath,VolName.Buffer,nLen);
      szOutPutPath[nLen] = 0;

}
else
{

      wcstombs(szOutPutPath,pFile->FileName.Buffer,nLen);
      szOutPutPath[nLen] = 0;

}
return TRUE;

}

moon2163913

接分是王道！

请问如何从NtMapViewOfSection的HANDLE SectionHandle参数获取被映射的文件名呢？ [复制链接]

最新回复